STE WILLIAMS

What’s in your Android’s December security update?

At the beginning of the month, Google released two new Android security bulletins for December, noting that Android users who can update this month should patch as soon as possible to receive mitigations and fixes for 47 vulnerabilities across all devices.

Starting this past October, Google began putting Pixel and Nexus security updates in their own supplemental bulletin, so these fixes should be applied in addition to the base Android monthly updates. Users of these devices have 48 additional fixes this month on top of the base December security update.

Ten of the base Android vulnerabilities were rated as critical, and as with past months’ updates many of the critical vulnerabilities affect the Android Media Framework. Google is, as usual, rather mum on the details of the vulnerabilities here, though it notes the worst of the Media Framework vulnerabilities this month could…

…enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.

In plain English, that sounds like what’s often called “click-to-pwn”, where tricking a user into opening up an innocent-looking file could be enough to take over the device.

Similarly, the system-level critical bug would allow a…

…proximate attacker to execute arbitrary code within the context of a privileged process.

This sounds similar, but “proximate” usually translates to “within radio range”, meaning some sort of hole in Bluetooth or Wi-Fi. Once again, “privileged process” implies more than just taking over a single app. (Android apps generally run as if they were individual users, so that app X can’t read app Y’s data, whether by accident or design.)

If you’re noticing a pattern here, indeed remote code execution (RCE) seems to be the name of the game for most of the critical-rated vulnerabilities this month. In fact, nine of the ten are RCEs, with most of the high-rated vulnerabilities resulting in elevated privileges or denial of service. (In the Pixel/Nexus bulletin, most of the vulnerabilities listed are moderate-rated, with just a few high.)

Most of the critical-rated vulnerabilities this month affect Android versions going back to Nougat, version 7 (the most recent release is Oreo, now at 8.1), and many of the high-rated vulnerabilities go back even further, to version 5.1.1. It’s not just the Google-originated components and code affected here, as a number of component vendors – including NVIDIA and Qualcomm – are included in the patches too.

If you bought your Android device directly from Google and haven’t patched yet, you should be able to – so please do.

For the rest of us, it’s the same old song – here’s hoping the phone carriers roll these out sooner rather than later.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/-cePONpU3Ig/

2 Million Fake Net Neutrality Comments Stole American Identities

New York Attorney General Eric Schneiderman updates the investigation into fake content submitted during the net neutrality comment process.

The office of New York Attorney General Eric Schneiderman today released new details on the investigation into fraudulent content submitted during the net neutrality comment process. Updated analysis shows two million comments stole real Americans’ identity. 

Those two million comments included more than 100,000 comments per state from New York, Florida, Texas, and California, which are the most heavily affected states. More than 5,000 people to date have filed reports on identities used to submit fake comments regarding the Federal Communications Commission’s repeal of net neutrality. 

The FCC is scheduled to vote on the repeal today, December 14, and plans to move forward with the vote despite evidence the public comment process was compromised, the AG’s office reports. AG Schneiderman says moving forward with the vote “would make a mockery of our public comment process” and the FCC “must postpone this vote.”

Read more details here and check here to see if your identity was misused.


Article source: https://www.darkreading.com/attacks-breaches/2-million-fake-net-neutrality-comments-stole-american-identities/d/d-id/1330647?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

BlueBorne Attack Highlights Flaws in Linux, IoT Security

Bluetooth vulnerabilities let attackers control devices running Linux or any OS derived from it, putting much of the Internet of Things at risk, including popular consumer products.

Popular consumer “smart” products, including Amazon Echo, Google Home, and Samsung’s Gear S3, are dangerously exposed to airborne cyberattacks conducted via Bluetooth.

Researchers at IoT security firm Armis earlier this year discovered BlueBorne, a new group of airborne attacks. The vulnerabilities let attackers take full control of any device running Linux, or an OS derived from Linux, putting the majority of IoT devices at risk of exposure. The researchers discussed and demonstrated their latest findings at Black Hat Europe 2017, held last week in London.

Vulnerabilities in the Bluetooth stack have been overlooked for the past decade, they explained. Bluetooth, often perceived as peripheral, could benefit attackers if they successfully break into a high-privilege device. As the researchers demonstrated, one compromised product can spread its attack over the air to other devices within Bluetooth range.

“These attacks don’t require any user interaction or any authentication,” said Armis head researcher Ben Seri in their presentation. Armis experts found 5.3 billion devices at risk and eight vulnerabilities, four of which were classified as critical. These flaws enable attackers to bypass security controls and break into a device without its owner knowing what happened, he explained.

Each vulnerability across the Bluetooth stack is “a testament to the fact that no specific part is vulnerable, but Bluetooth implementations have not been audited enough,” he continued. In general, these implementations are complex and unexamined.

Bluetooth has a large attack surface, Armis researcher Gregory Vishnepolsky said. When Bluetooth is enabled, a device may not be discoverable but it is always listening for incoming connections. Hackers don’t need a device to be discoverable in order to break in, he noted.

Bluetooth devices transmit parts of their MAC addresses over the air. If an attacker is close enough to sniff radio between two communicating Bluetooth devices, they can get 80% of the address from a single packet and brute-force the rest. Open-source hardware tools can do this for as little as $100, he said. Attackers put these devices on networks to listen for packets.

Many OEMs use adjacent MAC addresses for Wi-Fi and Bluetooth, so a Wi-Fi adapter in monitor mode can reveal nearby Bluetooth devices. Seri explained how L2CAP, the Bluetooth equivalent of TCP, is implemented in the kernel. Connecting to an open port doesn’t require authentication, and further, many obscure quality-of-service features increase the amount of code — and as a result, the attack surface.

To illustrate the vulnerability of Bluetooth, the researchers presented examples of everyday devices that can be compromised. One was the Amazon Echo, which is not equipped with the expected stack overflow mitigations: KASLR, stack canaries, Fortify_source, the NX bit, or access control. With no NX bit, for example, an attacker who overflows the stack can simply jump to shellcode placed on it.

The researchers did a live demo in which they hacked a Samsung Gear S3 smartwatch, which over Bluetooth hacked a Google Home, which used a Bluetooth connection to break into the Amazon Echo.

“No security mechanisms today are actually looking at Bluetooth communications or non-wifi protocols,” they explained. “This needs to be fixed.”


Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

Article source: https://www.darkreading.com/iot/blueborne-attack-highlights-flaws-in-linux-iot-security/d/d-id/1330649?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Bitfinex cryptocurrency exchange is back up after repeated DDoS

Bitfinex, which claims to be “the largest and most advanced cryptocurrencies exchange,” is back up after being slammed to the mat by multiple DDoS attacks over the past weeks.

On Tuesday, the exchange said it was trying to squirm out from under a “heavy” distributed denial-of-service (DDoS) attack…

again.

Bitfinex had said on Thursday of last week that it had suffered a “significant” DoS attack for several days.

In fact, there was also a DDoS attack a few weeks before that.

Well, all that DDoS wrestling paid off, at least for now: as of Thursday morning, the status page showed that all Bitfinex systems were good to go.

Great news. But how does all this DDoS nastiness jibe with Bitfinex’s assurance that it sprays on DDoS repellent?

We are protected by automatic Distributed Denial of Service protection to ensure that trading cannot be halted by outside attacks.

Bitfinex has had a tough time of it: In August 2016, robbers mugged the Hong Kong exchange, stealing nearly 120,000 bitcoins, valued at the time at $72 million.

We don’t know how Bitfinex’s DDoS protection works but we do know that those responsible for such attacks are continuously innovating their methods.

At any rate, Bitfinex said that one part of the most recent DDoS attack was to create hundreds of thousands of new accounts, causing stress on the infrastructure. The exchange therefore temporarily disabled new user signups, to both put up a roadblock against the attackers and to improve service for its existing customers.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Hr5ylrjqCjQ/

Mirai botnet authors plead guilty

The authors of the infamous Mirai botnet – used to launch record-breaking Distributed Denial of Service (DDoS) attacks last year that knocked major segments of the internet offline – pleaded guilty to federal cybercrime charges last Friday, 8 December.

Plea agreements with Paras Jha and Josiah White were unsealed Tuesday by an Alaska court, which had indicted the two on 5 December. Jha, 21, from Fanwood, N.J. and White, 20, of Washington, Pennsylvania, were cofounders of Protraf Solutions LLC, whose major sales pitch was – wait for it – mitigation of large-scale DDoS attacks.

Jha, a computer science student at Rutgers University, also pleaded guilty in New Jersey to a series of DDoS attacks against the university between November 2014 and September 2016 that effectively shut down its central authentication system, sometimes for days at a time.

All of which has to amount to some measure of vindication for security blogger Brian Krebs, whose site was taken offline by a massive Mirai DDoS attack in September 2016, but who had tracked down Jha and White by January – 10 months before the law officially caught up with them – naming them in a lengthy post about his investigation of the attack.

As Krebs put it in a post on Tuesday, Jha and White selling DDoS mitigation services was:

…like firemen getting paid to put out the fires they started, Jha and White would target organizations with DDoS attacks and then either extort them for money to call off the attacks, or try to sell those companies services they claimed could uniquely help fend off the attacks.

A DDoS attack, as Naked Security’s Paul Ducklin described it last year, occurs when, “thousands of computers, or perhaps even millions of them, gang up on an online service they don’t like and all deliberately start using it at the same time.”

Those thousands or millions of computers are essentially “zombies” under the control of the attacker, and block legitimate traffic from getting through.

In legal terms, Jha pleaded guilty to a single count of agreeing with at least one other person to cause:

…intentional damage to a protected computer, to wit knowingly causing the transmission of a program, code, or command to a computer with the intention of impairing without authorization the integrity or availability of data, a program, system, or information; and the computer was used in or affected interstate or foreign commerce or communication.

In less legal terms, he admitted to writing and implementing the code that led to the Mirai malware ensnaring more than 300,000 devices and launching multiple DDoS attacks – some of them in Alaska.

Jha and White also admitted to renting the botnet out to third parties and launching a protection racket – using it to extort money from hosting companies in exchange for not being targeted.

White pleaded guilty to a similar charge, but his role in the scheme, spelled out in his plea agreement, was to create the scanner portion of the Mirai code, which would scan the internet for vulnerable devices to hijack.

As part of his agreement, White agreed to give up 33 Bitcoin, “which are the proceeds of criminal activity.” With the current value of a single Bitcoin now at $16,700, that amounts to a forfeiture of $551,100. Jha agreed to forfeit 13 Bitcoin – a $217,100 value today.

Jha, along with a collaborator named Dalton Norman, 21, of Metairie, Louisiana, also pleaded guilty to click fraud – a scheme in which a bot is used to make it appear that a real user has “clicked” on an advertisement. Since advertisers pay for the number of times their page is viewed, that generates fraudulent profits for the hosting website.

The two admitted making about 200 Bitcoin through the click fraud – which would now be worth $3.34m.

Krebs wrote that Jha’s and White’s most popular targets were online gaming servers, particularly those connected with the popular online game Minecraft.

But he and Minecraft servers were not the only high-profile victims. Just days after the attack on his site, the Mirai authors, who were going by the name “Anna Senpai,” posted the source code publicly online. According to Jha’s plea agreement, that was done, “in order to create plausible deniability if law enforcement found the code on computers controlled by Jha or his co-conspirators.”

That public posting, not surprisingly, led to the creation of multiple Mirai botnets, the most damaging of which was against the New Hampshire-based internet infrastructure company Dyn, which in late October 2016 took down major players like Twitter, GitHub, PlayStation, Netflix, Reddit and a host of other sites for much of that day.

And new strains of Mirai are continually being reported, although there have not been any major recent attacks.

For creating all this chaos, damage and expense – Mirai ensnared more than 100,000 IP addresses and the costs of the DDoS attacks by its various strains are estimated at well over $100m – Jha and White face maximum statutory penalties of five years in prison; fines of $250,000 or “twice the pecuniary gain or loss of the offense”; and supervised release of three years.

But the agreement also stipulates that the defendants can’t withdraw from the agreement even if “the Court rejects the parties’ sentencing recommendations at the sentencing hearing.” It also states that “the proper restitution amount will be determined at sentencing.”


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/g1VqGpBOXiM/

Mr. Robot season 3 finale: shutdown -r

Time travel has been a major theme throughout the entire series. In this season’s finale, it finally happens. Sort of…

WARNING: SPOILERS AHEAD – SCROLL DOWN TO READ ON

Previous episodes weren’t too subtle that things were heading this way: Elliot was going to undo the Five/Nine hack, thanks to Trenton’s email cluing him in two episodes ago. The tools Elliot needed to decrypt the encrypted E Corp data (and undo the hack) were with him all along – aww.

Mr. Robot said he’d embedded the seed data and the algorithm needed to regenerate the E Corp data encryption key in a childhood photograph he’d burned onto a CD. (Of course, that photograph was of Elliot and his dad in “Back to the Future” costumes, in case the whole going-back-in-time theme wasn’t obvious enough yet.)

This is a callback to a bit of a parlor trick we’ve seen used a number of times throughout the show. Hiding data within an image, video, or audio is called steganography – that’s Greek for “hidden writing”, a technique that goes back well before computers ever existed – and it’s a well-known practice in hacker circles.

There are many ways of concealing information within a file, for example by overwriting the least significant bits of each pixel in an image with data you want to hide.

Digital cameras and image scanners usually generate more bits of color data than the precision of their sensors – the bottom bits of each pixel are often little more than irrelevant noise, anyway, so the photographs hiding the key information to undo the Five/Nine hack would look just like normal photographs.

The trick of steganography is hiding such valuable information in plain sight, and figuring out whether otherwise-irrelevant image data is genuine noise or hidden content is an interesting puzzle – just the sort of puzzle that hackers love.
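As an added illustration (not code from the original article or from the show), the following Python implements the least-significant-bit hiding described above on a constructed list of 8-bit grayscale pixels, recovers the payload again, and goes one step beyond the text by showing the kind of statistical trace a structured payload leaves in the LSB plane where genuine sensor noise would not. The pixel data, the payload text and the 4-byte length-header layout are all this example’s own assumptions.

```python
"""Least-significant-bit (LSB) image steganography, round-trip plus a crude trace check.

Pixels are modelled as a flat list of 8-bit grayscale values so the example runs
without an image library; a real image is just a longer list per colour channel.
"""
import random

HEADER_BYTES = 4  # big-endian payload length stored ahead of the payload (our own layout)


def _bits(data: bytes):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def _unbits(bits):
    """Pack a list of bits (MSB first) back into bytes; a trailing partial byte is dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for b in bits[i:i + 8]:
            value = (value << 1) | b
        out.append(value)
    return bytes(out)


def capacity(pixels):
    """Payload bytes a cover of this size can hold once the length header is accounted for."""
    return len(pixels) // 8 - HEADER_BYTES


def embed(pixels, payload: bytes):
    """Return a copy of `pixels` whose LSBs carry the length header plus `payload`."""
    if len(payload) > capacity(pixels):
        raise ValueError(f"payload of {len(payload)} bytes exceeds capacity of {capacity(pixels)}")
    stream = len(payload).to_bytes(HEADER_BYTES, "big") + payload
    stego = list(pixels)
    for i, bit in enumerate(_bits(stream)):
        stego[i] = (stego[i] & 0xFE) | bit  # clear the LSB, then write the payload bit
    return stego


def extract(pixels):
    """Recover a payload written by `embed`, or raise if the header is not plausible."""
    lsbs = [p & 1 for p in pixels]
    header_bits = 8 * HEADER_BYTES
    length = int.from_bytes(_unbits(lsbs[:header_bits]), "big")
    if length > capacity(pixels):
        raise ValueError("length header exceeds cover capacity: probably no payload")
    return _unbits(lsbs[header_bits:header_bits + 8 * length])


def msb_column_ones_ratio(pixels, n_bytes):
    """Fraction of 1-bits in the LSB positions that would hold the MSB of each of the first
    `n_bytes` payload bytes under this layout.  Printable ASCII always has MSB 0, so an
    embedded text drives this ratio to 0.0 while genuine sensor noise stays near 0.5.
    The check only knows this example's own layout: an illustration, not a general detector."""
    header_bits = 8 * HEADER_BYTES
    positions = [header_bits + 8 * k for k in range(n_bytes)]
    if not positions:
        return 0.0
    return sum(pixels[i] & 1 for i in positions) / len(positions)


def demo():
    """Round-trip a constructed payload through a constructed noisy cover image."""
    rng = random.Random(2017)
    cover = [rng.randrange(256) for _ in range(4096)]  # constructed 64x64 grayscale "photo"
    secret = b"constructed payload: the seed and algorithm would go here"  # hypothetical
    stego = embed(cover, secret)
    return {
        "recovered": extract(stego),
        "pixels_changed": sum(1 for a, b in zip(cover, stego) if a != b),
        "max_pixel_delta": max(abs(a - b) for a, b in zip(cover, stego)),
        "cover_ratio": msb_column_ones_ratio(cover, len(secret)),  # ~0.5: noise
        "stego_ratio": msb_column_ones_ratio(stego, len(secret)),  # 0.0: ASCII payload
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

No pixel moves by more than one gray level, which is why the carrier still looks like an ordinary photograph; the ratio check shows why an analyst nonetheless has something to look for when the hidden data is not itself noise-like.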

Once Elliot was able to recover the encryption key, we got a split-second view of him firing off an email to E Corp with the key. It’s blink-and-you’ll-miss it, but he sent the email from yet another Protonmail account: falkensmaze AT protonmail DOT ch.

Falken’s Maze, you might recall, is from the 1980s movie War Games, the film that introduced the slogan “the only winning move is not to play”. By “undoing” the Five/Nine hack, perhaps Elliot is trying to make the winning move here?

Notes on the season finale

  • If you go to Elliot’s Dropbox link to the Tarball, not surprisingly it does give you a file to download. The text in the file sends you to a place in DRC, the Democratic Republic of the Congo. Hold onto your tinfoil hat, because there are some doozies of theories out there as to why Whiterose and the Dark Army are so interested in the DRC. One is that the country is well positioned for prolific and cheap hydroelectric generation, which could be of particular interest to organizations mining cryptocurrency on a massive scale. (I wonder if we’ll see ecoin = $18,000 next season?)
  • My favorite cameo in the finale was from an operating system – apparently, Leon uses Slackware, the oldest Linux distro that’s still actively maintained today. The first release of Slackware was in July 1993 (and, yes, it still has a text-mode-only installer).
  • And finally, the title of the finale wasn’t a bunch of words followed by a file extension, it’s simply a command: shutdown -r is used to reboot a Unix/Linux computer. Again, that whole time-travel-starting-over thing, looking right at us.

So that’s it for season 3.

Season 4 was just confirmed this week, so when it airs this time next year, I’ll be back at it with these security reviews – as confused by the plot as ever, but determined to figure it all out nonetheless.

What next?

To hold you over until season 4 starts, we’ll be taking some security-centric looks at other movies and TV shows, so keep an eye out for those and let us know if there are other series you’d like us to cast a critical and/or pedantic eye over.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/too0JOS-tK4/

UK.gov delays biometrics strategy again – but cops will STILL USE the tech

The Home Office has admitted the UK’s biometrics strategy won’t be published until next year, as MPs slam an “unacceptable” delay of more than five years.

The Home Office has repeatedly put off publishing the strategy it promised in 2012, and has come under fire from MPs, policymakers, civil rights groups and the biometrics commissioner.

In response to the latest request for a status update from the House of Commons Science and Technology Committee, Home Office minister Baroness Williams of Trafford admitted the strategy was still not finished.

“It will unfortunately not be possible to publish the strategy until next year,” she wrote in a letter (PDF) to committee chair Norman Lamb, after admitting she was aware that publication “has taken much longer than we originally indicated”.

Williams said that “a great deal of work” had been done, while attempting to justify the delay by saying that the strategy had a wide scope and covered a rapidly advancing field.

“[The strategy] ranges across many areas of policy, some of which are developing rapidly,” she said.

“After reviewing it carefully, I have decided that it cannot be finalised until further work has been done in some of these areas.”

But Lamb told The Register that this was “unacceptable”, pointing out that the fact the technology is already being used – the police have used it at the last two Notting Hill Carnivals – should be reason to push out a strategy sooner.

“The fact it’s developing rapidly makes the case for why it needs a strategy,” he said. “The tech is being used so that’s why you need a clear ethical and legal framework, and we don’t have that – and that’s intolerable.”


Williams acknowledged that the police were already using the tech, and said that – in lieu of the strategy – she would fill the MPs in on the “government’s policy” on it.

However, this was a brief description saying the “decision to deploy facial recognition systems is an operational one for the police”, while pointing to this year’s Custody Image Review for information on retention of custody images.

She also said that the government felt facial recognition “plays an important role in the detection and prevention of crime” – despite reports that the tech had led to someone being incorrectly targeted at this year’s Carnival.

Williams also noted that there was “independent ethical oversight” in the form of the extended remit of the National DNA Database Ethics Group – now the Biometrics and Forensics Ethics Group.

But civil rights group Big Brother Watch said that, although it welcomed the group’s oversight, “without any outlined legislation or regulation, oversight is little more than marking homework”.

It added: “Proper oversight and scrutiny of these powers can only be achieved if the powers are clearly defined, outlined, drafted and debated as legislative or regulatory issues.”

Lamb said that the committee was now pushing the Home Office to find out exactly what the government meant by “next year” and why there had been such severe delays.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/12/14/ukgov_pushes_back_biometrics_strategy_again_but_will_use_the_tech_in_the_meantime/

Is a Good Offense the Best Defense Against Hackers?


A proposed new law could make it legal for companies to hack back against attackers. But will it work?

Destruction, loss of data, intellectual property theft, fraud, embezzlement, disruption to business, restoration—globally, the costs of dealing with hacking are staggering. Yet under US law, it’s illegal to attack the hackers back.

In February, a Georgia Republican introduced a bill to Congress to give legal protection to hacking victims who “hack back” at attackers. The law is continuing to wend its way through the legislative process and might just end up (in some form) as a real law.

That’s right: you could hit the bad guys back — and hard.

The Active Cyber Defense Certainty (ACDC) Act would amend section 1030 of the Computer Fraud and Abuse Act of 1986 that bars accessing a system that does not belong to you, or distributing code designed to enable unauthorized access to anyone’s system. If the bill passes, it will be legal to do both.

“This bill is about empowering individuals to defend themselves online, just as they have the legal authority to do during a physical assault,” said Rep. Graves in a press release March 3, 2017.

ACDC would allow victims of cybercrime to gain unauthorized access to their attackers’ systems legally, as long as their actions are only meant to identify the attacker or disrupt the attack. The bill doesn’t allow retaliation that destroys the attacker’s data, causes physical injury, or “creates a threat to the public health or safety.”

Though the bill may never become law in this form, it’s certainly opening discussions around “hacking back,” and raises awareness of the difficulty in stopping criminal cyber activity.

High Return, Low Risk. What’s not to Like?
Attackers work anonymously and, largely, with impunity. Billions of dollars are stolen each year, with little to none of it recovered, and the criminals are rarely caught. Even when they are, it’s difficult to prosecute them; it can take years to track them down, build a case, indict and convict them. Moreover, some countries or regions tolerate—or even profit from—cybercriminals’ activities, and offer little help to or even thwart international law enforcement efforts.

If the incentives are good, and the risks low, powerful cybercrime syndicates will continue. And as things currently stand, the law limits CISOs’ options. The hope among leading CISOs is that shifting to offense will change the game. After all, the adversary remains ahead if you simply react to every problem defensively.

But, Hacking Back Is Never as Simple as It Sounds
First there’s the issue of “attribution.” How do you correctly identify your attacker? It’s not as easy as it sounds. What if an attack comes from a botnet? Not one computer, but thousands or millions spread over the globe. Owners of botnet computers may not know they’re contributing to an attack. If your attacker is somewhere in the cloud, good luck finding her. Are you going to strike back against your cloud provider? They’re potentially innocent middlemen.

Second, ACDC wouldn’t allow striking back against distributed denial-of-service (DDoS) attacks, for example, a common attack. DDoS attacks don’t involve unauthorized access. And who are you going to blame? Typical DDoS attacks come from devices that are part of the Internet of Things (IoT). Say Grandma’s digital picture frame routed requests in a DDoS attack. Are you going to hack back against Grandma?

Third, what if your attacker is not on US soil? You will not be legally protected if you’re retaliating in another country with different laws. In fact, you could find yourself being the one carted off by the police or buried in lawsuits.

Strike Back Already Exists for the Largest Tech Players
If the problem is large, those with resources — primarily large IT vendors — will work with law enforcement to stop attackers. When your actions are sanctioned by the authorities, it isn’t vigilantism. It helps if you’re a large company with a good legal team. In fact, many large IT vendors hire ex-DOJ prosecutors and investigators as company liaisons with law enforcement.

For example, Microsoft security researchers aided international law enforcement agencies to disrupt one of the most widely distributed malware families, “Dorkbot,” estimated to have infected more than 1 million PCs in more than 190 countries. In another instance, a collaboration between Trend Micro, INTERPOL, Microsoft, Kaspersky Lab, and the Cyber Defense Institute resulted in the destruction of the notorious SIMDA botnet.

How You Can Strike Back Now
Several forms of hack back are available to you without the additional legal protection of the proposed ACDC law. A less legally risky defense is to set up “honeypots,” or fake servers and services to lure attackers in. Once attackers have entered your network, you can sinkhole their traffic, feed them fake data, and confuse them with false systems. Studies have shown deceptive defenses do deter attacks. Best of all, deceptive defense would meet the goals of the ACDC, since you are simultaneously disrupting the attack and gathering information about the attacker.

Moreover, it’s passive, not active. With deceptive defense, you don’t go to them, the bad guys come to you. The disruption and spying happens on your equipment, on your premises, where you have a legal right to be — and the hacker doesn’t.

You can even put up warning banners: Warning—this system is the property of XYZ bank. Unauthorized users consent to being recorded and allowing XYZ to take measures to disable unauthorized access to the extent necessary to stop the illegal activity and support law enforcement investigations. An alert like this should get you off the legal hook for any defensive moves you make.
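The following Python is an added example, not code from the article or from F5 Labs; it sketches the banner-and-log core of the deceptive defense described above: a listener on your own host that presents a warning banner, records who connected and what they sent first, and never parses or acts on the received bytes. The banner wording, the port, the example peer address and the log record layout are assumptions made for illustration.

```python
"""Minimal banner-and-log honeypot listener (illustrative, not production code)."""
import datetime
import socket

# Placeholder banner in the spirit of the article's example; the organisation is made up.
BANNER = (
    b"WARNING: this system is the property of XYZ Bank (placeholder).\r\n"
    b"Unauthorized users consent to being recorded and to XYZ taking measures to\r\n"
    b"disable unauthorized access and support law enforcement investigations.\r\n"
)


def _utc_now():
    return datetime.datetime.now(datetime.timezone.utc).isoformat(timespec="seconds")


def handle_connection(conn, peer, log, max_bytes=256, timeout=2.0):
    """Send the banner, capture at most `max_bytes` of whatever arrives, log it, hang up.

    Nothing the peer sends is interpreted: the bytes are stored only as hex, so the record
    is safe to forward to a SIEM or a log viewer.  A connect-and-drop with no data still
    produces a record, because on a port nothing legitimate uses every hit is suspect.
    """
    record = {
        "time": _utc_now(),
        "peer_ip": peer[0],
        "peer_port": peer[1],
        "bytes_received": 0,
        "first_bytes_hex": "",
    }
    try:
        conn.settimeout(timeout)
        conn.sendall(BANNER)
        data = conn.recv(max_bytes)
        record["bytes_received"] = len(data)
        record["first_bytes_hex"] = data.hex()
    except OSError:  # includes socket.timeout: the peer never sent anything
        pass
    finally:
        conn.close()
    log.append(record)
    return record


def serve(host, port, log, max_connections=None):
    """Listen on an otherwise unused port and hand every connection to handle_connection."""
    with socket.create_server((host, port)) as srv:
        handled = 0
        while max_connections is None or handled < max_connections:
            conn, addr = srv.accept()
            handle_connection(conn, addr, log)
            handled += 1
    return log


def simulate_connection(client_bytes, peer=("203.0.113.7", 40001)):
    """Drive handle_connection over an in-process socket pair, so it can be exercised
    without a network.  The peer address is a constructed documentation-range value."""
    server_side, client_side = socket.socketpair()
    client_side.sendall(client_bytes)
    log = []
    record = handle_connection(server_side, peer, log)
    banner_seen = client_side.recv(4096)
    client_side.close()
    return record, banner_seen


if __name__ == "__main__":
    events = []
    # Port 2222 is an assumption: choose one no real service on the host listens on.
    for event in serve("127.0.0.1", 2222, events, max_connections=1):
        print(event)
```

Run stand-alone it accepts a single connection on 127.0.0.1:2222 and prints the record; in practice the records would be shipped to whatever already collects your logs, and the sinkholing and fake data the article mentions would sit behind the same listener.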

If it happens, the ACDC debate is going to be interesting to watch. Though the bill is unlikely to pass as it is, if it comes up for debate, it’s certain to spark discussions. In the meantime, CISOs have other options, such as deceptive defenses.


Raymond Pompon is a Principal Threat Researcher Evangelist with F5 Labs. With over 20 years of experience in Internet security, he has worked closely with Federal law enforcement in cyber-crime investigations. He has recently written IT Security Risk Control Management: An …

Article source: https://www.darkreading.com/partner-perspectives/f5/is-a-good-offense-the-best-defense-against-hackers/a/d-id/1330617?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Why Hackers Are in Such High Demand, and How They’re Affecting Business Culture

White hat hackers bring value to organizations and help them defend against today’s advanced threats.

News headlines often focus on the hackers who launch cyber attacks and leak confidential data such as National Security Agency exploits, sensitive political emails, and unreleased HBO programming, but hackers can also affect organizations in positive ways. White hat hackers (as opposed to black hats) increasingly are finding employment in companies as security researchers.

From conducting penetration tests and identifying vulnerabilities in software to providing companies with guidance about emerging threats, white hat hackers bring considerable value to organizations and play an instrumental role in helping them defend against today’s advanced threats. White hats are highly coveted not only for their knowledge but also for their unique mindsets and ability to change corporate culture.

Hacker Expertise
Until relatively recently, there was little to no formal education for cybersecurity; hands-on hacking was the primary way to be trained in the profession. Although unconventional, this method has proven to be both effective for hackers and beneficial for the organizations that employ them.

For example, given the ever-evolving nature of the cybersecurity landscape, hackers have become adept at learning about new technologies and vulnerabilities, whether through independent research or by collaboration with other hackers in communities and forums (Cybercriminals, for example, often discuss their strategies on Dark Web forums). When faced with new technologies, white hats typically will strive to achieve mastery, because that’s what it takes to identify potential network vulnerabilities and find ways to break into devices and systems.

Hackers typically are proactive in their approach to security and often have an innate inquisitive mentality — a combination that is ideal for helping businesses stay up to date with new threats and vulnerabilities. Rather than only addressing current problems and risks, a trap that many companies fall into, white hat hackers also make sure their organizations are considering potential issues as well as emerging attack vectors and threats.

And because hackers are more in tune with the newest hacking tools and techniques through their involvement in hacking communities and forums, they can sometimes even predict the characteristics of emerging malware. When companies start to incorporate the expertise of these white hats, they are able to create stronger security programs that are built to successfully defend against today’s advanced threats.

Security and non-security organizations alike increasingly are capitalizing on the knowledge and mindset benefits that hackers provide. This is driven by a dire economic need to improve cyber defenses. Ransomware attacks alone are expected to cost companies $5 billion in 2017 (15 times more than the $325 million they cost in 2015), and it is projected that cyber attacks in general will cause $6 trillion in damages annually by 2021 (versus $3 trillion in 2016).  

The increase in demand for white hat hackers also can be attributed to a growing awareness of the value they provide, which has largely spread through bug bounty programs. Companies that offer bug bounty programs effectively gain access to hundreds of hackers, who often are able to identify serious vulnerabilities in their systems; their success reinforces the potential business value of having those hackers work for them in-house full-time. 

Creating a Security-Minded Culture
White hat hackers not only help organizations bolster their security strategies, they also can have a profound impact on corporate culture. Their desire for knowledge, proactive nature, and inquisitive attitude can rub off on their colleagues, who in turn develop and maintain a better understanding of today’s constantly changing technologies. With the ability to understand a company’s security posture from a hacker’s perspective, a white hat mindset drives collaboration. Focusing on security from the beginning encourages the development of a security-minded culture within organizations, which leads to a better overall security posture.

Many companies focus on trying to protect themselves from threats. However, this strategy results in wasted budget and resources, and frees employees from accountability. Instead, companies need to prioritize security best practices throughout all stages — and hackers are often the ones pushing IT and executives to think about security programs proactively instead of implementing changes reactively in the aftermath of a breach.

Being security-minded means providing extensive training for employees; defining metrics to track success; enforcing those metrics through awareness, gamification, and positive reinforcement; and, ultimately, implementing strategies to improve employee behaviors as well as the company’s overall security posture. It’s about setting the bar high and then continuing to raise it — and in cybersecurity, white hat hackers are the heavyweights.

Jaime Blasco is a renowned security researcher with broad experience in network security, malware analysis, and incident response. At AlienVault, Jaime leads the Lab Intelligence and Research team that leads the charge of researching and integrating threat intelligence into …

Article source: https://www.darkreading.com/attacks-breaches/why-hackers-are-in-such-high-demand-and-how-theyre-affecting-business-culture/a/d-id/1330598?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Malware Decompiler Tool Goes Open Source

Avast’s RetDec machine-code decompiler is now available for free on GitHub.

Anti-malware vendor Avast has donated its homegrown malware decompiler tool to the open-source community.

Avast’s RetDec basically converts a piece of malware into a higher-level programming language and helps malware analysts unmask the inner workings and functions of its code. “It turns it into something that looks like the original source code,” says Jakub Kroustek, threat lab team lead at Avast. “It’s much easier” and more efficient to sleuth just what the malware can do when it’s decompiled, he notes.

“We’re facing millions of new samples of malware each day. We’re not deeply analyzing all of them, but by using decompilation we can handle some” more closely and quickly, says Kroustek, founder of the tool.

Researchers at Avast used the tool to decompile ransomware strains including Apocalypse, BadBlock, Bart, CrySIS, and TeslaCrypt, and then offer free decryption tools for the ransomware.

Decompiler tools support static analysis of code, in which researchers don’t actually run the code but instead study it up close. Dynamic analysis is the other method, in which a researcher executes malicious code in the safety of a sandbox environment to observe how it behaves. “Sometimes it’s right to use a sandbox, and other times it’s beneficial to use a decompiler,” he says. “In my case, I usually use both. When you’re fighting bad guys, you try using every leverage” you can, he says.

RetDec was first created in 2011 by researchers at the Czech Republic’s Brno University of Technology and AVG Technologies, and the tool became Avast’s last year after it acquired AVG. Kroustek says Avast hopes other security experts will help further its development as an open-source tool aimed at researchers and reverse engineers.

Decompilation tools are nothing new. There are commercial products, which can be pricey and limited in customization, Kroustek says, while there are other open-source decompiler tools such as DCC, Boomerang, and Snowman, for example.

“While good decompilation tools are available that deliver good results, many are paid products; however, these cannot be easily extended with custom features,” he says. “On the other hand, users can utilize existing, free, open-source decompilers, but these do not always achieve proper stability, code readability, and quality.”

John Bambenek, threat systems manager with Fidelis Cybersecurity, who also teaches at the University of Illinois at Urbana-Champaign, says an open-source decompiler such as Avast’s can be especially helpful for academia. “I have limited funds and buying a bunch of IDA [Hex-Rays decompiler product] seats isn’t going to happen. With something open-source, assuming it can get the job done, it provides a great resource for me to produce more reverse engineers,” he says.

Avast says the now open-source tool supports multiple architectures, file formats, and operating systems, and can be used for more than decompilation. It emits its output as C and as a Python-like language, and runs on Linux and Windows. RetDec’s source code and related tools are available now on GitHub under an MIT license.

“If someone isn’t focused on decompilers, he or she can just use the libraries for detection of particular patterns” in the malware, for example, Kroustek says.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/attacks-breaches/malware-decompiler-tool-goes-open-source/d/d-id/1330639?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple